Communications Programming Concepts - Xerox Network Systems
Windows NT Remote Access Service (RAS) connects remote or mobile workers to corporate networks. Windows NT RAS is a dial-up networking product and appears on the desktop as a Dial-Up Networking icon. This chapter explains the basic operation of Windows NT RAS and how to implement Windows NT Server RAS in a Windows NT Server network. This includes Overview of the major components of RAS Remote access clients and servers Local-area network (LAN) protocols—TCP/IP, IPX, and NetBEUI Remote access protocols—Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), and Microsoft RAS protocol Wide-area network (WAN) options—telephone lines, ISDN, X.25, and PPTP Security features For additional information about the Remote Access Service, see RAS online Help. RAS allows remote users on the following systems to work as if they were connected directly to the network: Windows NT, Windows for Workgroups, MS-DOS version 3.1 or later (RAS version 1.1a), and MS OS/2 version 3.1 (RAS version 1.1). Users run the RAS graphical phonebook on a remote computer and then initiate a connection to the RAS server using a local modem, X.25, or ISDN card. The RAS server, running on a Windows NT Server computer, authenticates the users and services the sessions until terminated by the user or network administrator. All services typically available to a LAN-connected user (including file- and print-sharing, database access and messaging) are enabled by means of the RAS connection. The following figure depicts the RAS architecture: Figure 9.1 RAS Architecture Note that remote clients use standard tools to access resources. For example, the Explorer is used to make drive connections and used to connect printers. Connections are persistent: Users do not need to re-connect to network resources during their remote sessions. Because drive letters and Universal Name Convention (UNC) names are fully supported in RAS, most commercial and custom applications work without modification. The distinctions between RAS and remote control solutions (such as Cubix and pcANYWHERE) are important: RAS is a software-based multi-protocol router; remote control solutions work by sharing screen, keyboard and mouse over the remote link. In a remote control solution, users share a CPU or multiple CPUs on the server. The RAS server's CPU is dedicated to communications, not to running applications. This architectural difference has significant implications in two areas: scalability and software applications architecture. In the area of scalability, consider the problem of increasing the capacity or performance of a remote-control server. For best performance, an additional or upgraded CPU or computer would need to be purchased for every port to be added or upgraded. With RAS, additional ports can be added without upgrading the server computer. When it does require an upgrade, the RAS Server would generally get additional RAM, a less costly approach than with remote-control. With Windows NT, a single server can scale to support hundreds of remote users, using far fewer hardware resources than a remote control solution. In software applications architecture, the RAS client normally executes applications from the remote workstation. Because network traffic is reduced, the user achieves higher performance. So the RAS arrangement is better suited to graphical, client-server–based applications. Contrast this with the remote control client, which runs applications from the host-side CPU. Remote control, however, can be useful in nonclient-server environments; for example when you are remotely debugging a computer and you want to see the current desktop of the remote computer. A Windows NT RAS configuration includes the following components: Windows NT, Windows™ for Workgroups, MS-DOS, and LAN Manager RAS clients can all connect to a Windows NT RAS server. Clients can also be any non-Microsoft PPP client. The Windows NT Server RAS permits up to 256 remote clients to dial in. The RAS server can be configured to provide access to an entire network or restrict access to the RAS server only. LAN protocols transport packets across a local-area network (LAN), whereas remote access protocols control the transmission of data over the wide-area network (WAN).Windows NT supports LAN protocols such as TCP/IP, IPX, and NetBEUI, which enable access to the Internet and to NetWare and UNIX servers. Windows NT supports Remote Access Protocols such as PPP, SLIP on RAS clients, and the Microsoft RAS Protocol. Clients can dial in using standard telephone lines and a modem or modem pool. Faster links are possible using ISDN. You can also connect RAS clients to RAS servers using X.25, an RS-232C null modem, or using the new Point-to-Point Tunneling Protocol (PPTP). RAS enables Windows NT to provide complete services to the Internet. A Windows NT Server computer can be configured as an Internet service provider, offering dial-up Internet connections to a PPP client. A computer running Windows NT Workstation can dial into an Internet-connected computer running Windows NT Server 3.5 or later or to any one of a variety of industry-standard PPP or SLIP-based Internet servers. For more information see the Windows NT Resource Kit Internet Guide. Windows NT logon and domain security, support for security hosts, data encryption, and callback provide secure network access for remote clients. The following picture illustrates all RAS features and possible configurations. Actual implementations and configurations will vary and are discussed in this book. Overview of Windows NT Server RAS Clients connecting to Windows NT RAS servers can be Windows NT, Windows 95, Microsoft Windows for Workgroups, MS-DOS, LAN Manager, or any PPP client. The client must have a modem (9600 baud or above is recommended for acceptable performance), an og telephone line or other WAN connection, and remote access software installed. Connecting is automatic with the new RAS AutoDial feature. AutoDial learns every connection made over the RAS link and automatically reconnects you when you access a resource for the second time. For more information, see the section on automatic dialing in Chapter 6, "Installing and Configuring Remote Access Server." Connecting can also be automated for any Microsoft client with a simple batch file and the rasdial command or with a custom, RAS-aware application using the appropriate Application Programming Interface for RAS. You can also schedule automatic backups to or from remote computers by using RAS and the at command. Windows NT version 3.5x and Windows 95 clients can take full advantage of Windows NT version 4.0 RAS features, except for Multilink functionality. Windows NT version 3.5x and Windows 95 clients can also connect to any non-Microsoft remote access PPP server or SLIP server. Windows NT version 3.5x and Windows 95 clients negotiate logon and authentication with the server, whether the server is a Microsoft RAS server, a PPP server, or a SLIP server. You can also configure RAS phonebook entries to use scripts that can completely automate logon. Windows NT version 3.1 clients use the Microsoft RAS protocol and are fully compatible with all versions of Microsoft RAS. These clients do not support the PPP protocol introduced in Windows NT version 3.5. Only Windows NT version 3.5x or other PPP clients provide the support necessary to run TCP/IP or IPX applications on clients that directly communicate with servers on the LAN using TCP/IP or IPX. Windows NT Server provides a Microsoft Network Client version 3.0 for MS-DOS and a Windows for Workgroups client that provide remote access. Separately purchased Windows for Workgroups and LAN Manager RAS clients can also connect to Windows NT version 3.5 or later RAS servers. These clients are fully (3.5x) compatible with all versions of Microsoft RAS protocol. The Microsoft Network Client version 3.0 for MS-DOS must be set up to use the full redirector (the default setting.) If the basic redirector is used, the Remote Access program rasphone will not start. The Windows for Workgroups, MS-DOS, and LAN Manager clients can use the RAS NetBIOS gateway to access NetBIOS servers running TCP/IP, IPX, or NetBEUI, but these clients cannot run applications that must use TCP/IP or IPX on the client. These clients also do not support the PPP protocol introduced in Windows NT version 3.5. Non-Microsoft PPP clients using TCP/IP, IPX, or NetBEUI can access a Windows NT version 3.5 or later RAS server. The RAS server will automatically negotiate authentication with PPP clients; the Windows NT RAS software needs no special configuration for non-Microsoft PPP clients. For more information about your PPP client, see the software documentation for your PPP client. Windows NT Server administrators use the Remote Access Admin program to control the Remote Access server, view users, grant permissions, and monitor Remote Access traffic. For more information about using the Remote Access Admin program, see RAS online Help. The server must have a multiport adapter or modems (9600 baud or above is recommended for acceptable performance), og telephone lines or other WAN connections, and the RAS software installed. If the server will provide access to the network, a separate network adapter card must be installed and connected for each network the server will provide access to. RAS servers are configured during initial RAS setup. You must specify whether access will be to the entire network or to the RAS server only. You must also select the protocols to use on the LAN (IPX, TCP/IP, and NetBEUI) and an authentication encryption option. For more information about remote access protocols and LAN protocols, see those sections elsewhere in this chapter. Ports on RAS servers are configured individually. Each port can be set to Dial Out Only, Receive Calls Only, or Dial Out And Receive Calls. These settings affect only the port specified, not all ports. For example, your RAS server can be configured to provide access to the entire network, COM1 can be configured to receive calls, and COM2 can be configured for dial out and receive. A remote user can call in on either COM port, but a local user can use only COM2 for outbound RAS calls. Events and errors are recorded in Event Viewer on Windows NT RAS clients and servers. Evaluating the log in Event Viewer can help you determine the source of problems. Use the Control Panel Network option to install and configure RAS. Use the Control Panel Services option to specify startup options. The Windows NT Server RAS permits up to 256 remote clients to dial in. The RAS server can be configured to provide access to an entire network or restrict access to resources on the RAS server only. For more information about installing and configuring RAS, see Chapter 6, "Installing and Configuring Remote Access Service." Windows NT supports LAN protocols such as TCP/IP, IPX, and NetBEUI, and Remote Access Protocols such as PPP, SLIP, and the Microsoft RAS Protocol. LAN protocols transport packets across a local-area network (LAN), whereas remote access protocols control the transmission of data over the wide-area network (WAN). The protocol(s) used in the existing network affect how you plan, integrate, and configure RAS. Windows NT RAS supports TCP/IP, IPX, and NetBEUI. This support means you can integrate Windows NT RAS into existing Microsoft, UNIX, or NetWare networks using the PPP remote access standard. Windows NT RAS clients can also connect to existing SLIP-based remote access servers (primarily UNIX servers). When you install and configure RAS, any protocols already installed on the computer (TCP/IP, IPX, and NetBEUI) are automatically enabled for RAS on inbound and outbound calls. You must also specify if you want to provide access to the entire LAN; otherwise, users will be able to access only the RAS server. If you provide access to the entire LAN using TCP/IP or IPX, you must also configure how the server will provide IP addresses or IPX net numbers. If you provide access to the entire LAN using NetBEUI, no additional configuration is needed. TCP/IP is one of the most popular protocols. Its routing capabilities provide maximum flexibility in an enterprise-wide network. On a TCP/IP network, you must provide IP addresses to clients. Clients might also require a naming service or method for name resolution. This section explains IP addressing and name resolution for Windows NT RAS servers and clients on TCP/IP networks. For information about implementing the Microsoft TCP/IP protocol in a network, see Chapter 1 "Microsoft TCP/IP and Related Services for Windows NT." In Windows NT, each remote computer connecting to a RAS server through PPP on a Microsoft TCP/IP network is automatically provided an IP address from a static range assigned to the RAS server by the administrator during setup. Windows NT RAS clients can also use a preassigned IP address specified in their phonebook. In this case, the Windows NT RAS server must be configured to permit users to request a specific address. In addition to requiring an IP address, RAS servers and clients on a TCP/IP network might require a mechanism to map computer names to IP addresses. Four name resolution options are available on a Windows NT network: Windows Internet Name Service (WINS), broadcast name resolution, Domain Name System (DNS), and the HOSTS and LMHOSTS files. RAS servers can use all these name resolution methods for operations performed on the server. RAS clients are assigned the same WINS and DNS servers that are assigned to the RAS server. You must use the Registry to override this automatic assignment. For more information about overriding the automatic assignment of WINS and DNS servers, see Appendix A, "RAS Registry Values." RAS clients in small networks where IP addresses do not change can use a HOSTS or LMHOSTS file for name resolution. By using these files on the local drive, you do not need to transmit name resolution requests to a WINS server and wait for the response over the modem. For information about name resolution on a Microsoft TCP/IP network, see Chapter 3 "Implementation Considerations." The Windows NT RAS server enables remote clients to share subnet addresses with computers on the LAN, thereby conserving IP addresses. For more information on TCP/IP addressing, see Chapter 2, "Microsoft TCP/IP Architecture." Note Remote access servers from other vendors might require that remote clients have a different subnet address than clients on the LAN. If remote clients dial into another vendor's remote access server and cannot connect to resources on the LAN, check the following configuration on your remote access server: If your third-party remote access server does not support proxy-ARP (Address Resolution Protocol), your remote clients must be assigned a different subnet address than LAN clients. Be sure your server is configured to assign remote clients with a subnet address that is unique on your LAN. Ensure that your network routers are configured so that remote access clients can use ping on target hosts, and vice versa. Use ping in the following order: Remote client to target server, then remote client to remote access server, then remote access server to target server. Target server to remote client, then target server to remote access server, then remote access server to remote client. Support for Serial Line Internet Protocol (SLIP) allows Windows NT RAS clients to connect to third-party remote access servers that use the SLIP remote communication standard. Clients can use SLIP only if the port for the Phonebook entry is a serial COM port. When a user connects to a SLIP server, a Windows Terminal dialog box pops up for an interactive logon session with the UNIX SLIP server. The UNIX logon overrides and prevents the RAS logon from appearing. After a connection is established, remote network access becomes transparent to the user. IPX is the native NetWare protocol used on many Novell networks. Because it is a routable protocol, IPX is suitable for enterprise-wide networks. This section explains how to integrate Windows NT RAS clients and servers into a NetWare IPX network. If Windows NT RAS computers must see a Novell NetWare network, the client computer must run a NetWare redirector. In Windows NT Workstation computers this redirector is called the Client Service for NetWare and in Windows NT Server computers this is called the Gateway Service for NetWare. A Windows NT RAS server is also an IPX router and Service Advertising Protocol (SAP) agent for RAS clients only. RAS servers and their clients use the PPP IPX Configuration Protocol (IPXCP) defined in RFC 1552 to configure the remote access line for IPX. Once configured, RAS servers enable file and print services and the use of Windows Sockets applications over IPX on the NetWare network for RAS clients. RAS servers provide clients connecting to an IPX network with an IPX net number and act as their SAP agent. The following section explains the addressing options available for Windows NT RAS using the IPX protocol. For information about installing the connectivity services on a NetWare/Windows NT interconnected network, see Chapter 13 "Gateway Service for NetWare." RAS clients are always provided an IPX address by the RAS server. The IPX network number is either generated automatically by the RAS server, or a static pool of network numbers is given to the RAS server for assignment to RAS clients. For automatically generated IPX network numbers, the Windows NT RAS server uses the NetWare Router Information Protocol (RIP) to determine an IPX network number that is not in use in the IPX network. The RAS server assigns that number to the remote client. You can override the automatic assignments of network numbers. Manual assignments can be useful if you want more control of network number assignments for security or monitoring. When assigning IPX network numbers to a RAS server, ensure that duplicate network numbers are not assigned and that other NetWare services cannot assign the RAS IPX addresses. You can also assign the same network number to all clients to minimize RIP announcements from the RAS server. For information about IPX addressing, see Chapter 13 "Gateway Service for NetWare." NetBEUI is suited for use in small workgroups or LANs. A NetBIOS gateway and the NetBEUI client protocol are installed by default on all Windows NT RAS servers and on most Windows networking clients. Previous versions of Windows NT RAS clients, LAN Manager RAS clients, MS-DOS RAS clients, and Windows for Workgroups RAS clients require NetBEUI. Remote access protocols control transmission of data over the wide-area network (WAN). The operating system and LAN protocol(s) used on remote access clients and servers dictate which remote access protocol your clients will use. The remote access protocols are of four types: Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Microsoft RAS Protocol, and NetBIOS Gateway. Windows NT supports the Point-to-Point Protocol (PPP) in RAS. PPP is a set of industry standard framing and authentication protocols that enable remote access solutions to interoperate in a multi-vendor network. Microsoft recommends that you use PPP because of its flexiblity and its role as an industry standard as well as for future flexibility with client and server hardware and software. PPP support enables computers running Windows NT to dial into remote networks through any server that complies with the PPP standard. PPP compliance also enables a Windows NT Server computer to receive calls from, and provide network access to, other vendors' remote access software. The PPP architecture also enables clients to load any combination of IPX, TCP/IP, and NetBEUI. Applications written to the Windows Sockets, NetBIOS, or IPX interface can be run on a remote Windows NT Workstation computer. The following picture illustrates the PPP architecture of RAS: Figure 1.13 PPP Architecture of RAS PPP has become the standard for remote access. Remote Access protocol standards are defined in Requests for Comments (RFCs), which are published by the Internet Engineering Task Force and other working groups. The RFCs supported in this version of Windows NT RAS are RFC 1549 PPP in HDLC Framing RFC 1552 The PPP Internetwork Packet Exchange Control Protocol (IPXCP) RFC 1334 PPP Authentication Protocols RFC 1332 The PPP Internet Protocol Control Protocol (IPCP) RFC 1661 Link Control Protocol (LCP) RFC 1717 PPP Multilink Protocol If your remote clients connect to third-party PPP servers, they might need to enable a post-connect terminal script to log on to the PPP server. After the server informs them it is switching to PPP framing mode, the user must start Terminal to complete logon. Upon connecting to a remote computer, PPP negotiation begins: Framing rules are established between the remote computer and server. This allows continued communication (frame transfer) to occur. The RAS server then authenticates the remote user using the PPP authentication protocols (PAP, CHAP, SPAP). The protocols invoked depend on the security configurations of the remote client and server. Once authenticated, the Network Control Protocols (NCPs) enable and configure the server for the LAN protocol used on the remote client. When the PPP connection sequence has completed successfully, the remote client and RAS server can begin to transfer data using any supported protocol, such as Windows Sockets, RPC, or NetBIOS. The following figure illustrates the location of the PPP protocol on the OSI model. Figure 1.14 Location of the PPP Protocol on the OSI Model If your remote client is configured to use the NetBIOS gateway or SLIP, this sequence is invalid. Serial Line Internet Protocol (SLIP) is an older remote access standard typically used by UNIX® remote access servers. Windows NT Remote Access clients support SLIP and can connect to any remote access server using the SLIP standard. This permits Windows NT version 3.5 clients to connect to the large installed base of UNIX servers. The Windows NT Remote Access server does not support SLIP clients. The RFCs supported in this version of Windows NT RAS are RFC 1144 Compressing TCP/IP Headers for Low-Speed Serial Links RFC 1055 A Nonstandard for Transmission of IP Datagrams Over Serial Lines: SLIP The Microsoft RAS protocol is a proprietary remote access protocol supporting the NetBIOS standard. The Microsoft RAS protocol is supported in all previous versions of Microsoft RAS and is used on Windows NT version 3.1, Windows for Workgroups, MS-DOS, and LAN Manager clients. A RAS client dialing into an older version of Windows (Windows NT version 3.1 or Windows for Workgroups) must use the NetBEUI protocol. The RAS server then acts as a "gateway" for the remote client, providing access to servers that use the NetBEUI, TCP/IP, or IPX protocols. Windows NT continues to support NetBIOS gateways, the architecture used in previous version of Windows NT and LAN Manager. Remote users connect using NetBEUI, and the RAS server translates packets, if necessary, to IPX or TCP/IP. This enables users to share network resources in a multi-protocol LAN but prevents them from running applications which rely on IPX or TCP/IP on the client. The NetBIOS gateway is used by default when remote clients are using NetBEUI. The following figure illustrates the NetBIOS gateway architecture of RAS. Figure 1.15 NetBIOS Gateway Architecture of RAS An example of the NetBIOS gateway capability is remote network access for Lotus® Notes® users. Although Lotus Notes does offer dial-up connectivity, dial up is limited to the Notes application. RAS complements this connectivity by providing a low-cost, high-performance remote network connection for Notes users which not only connects Notes, but offers file and print services, and access to other network resources. Clients can connect to servers through phone lines and modems, ISDN, X.25, RS-232C null modem, or Point-to-Point Tunneling Protocol (PPTP). The following sections describe these options. The most common WAN connection is a standard og telephone line and a modem. Standard og phone lines are available worldwide and will meet most RAS needs for roving users. Note Standard og phone lines are also called PSTN (Public Switched Telephone Network) or POTS (Plain-old Telephone Service).Nearly 200 modems are compatible with Windows NT. Most modems that comply with industry standards should interoperate. However, many difficult-to-detect problems can come from incompatible modems. To prevent such problems, use the same modem on clients and servers. Modems are automatically detected. Automatic modem detection is especially useful for users who are not sure what modem is installed (for example, an internal modem). Third-party modem pools can be used on either the client side or the server side. Modem pools are made available to RAS through the Network icon in Control Panel. Consult your modem pool documentation for more information. Modem data compression and error control are available. However, built-in software compression offers enhanced performance over modem data compression. For more information about modems, see the "Choosing Modems" section in Chapter 6, "Installing and Configuring Remote Access Service." To enhance WAN speeds at a stationary remote site or at sites that will use RAS, use an Integrated Services Digital Network (ISDN) line. Whereas standard phone lines typically transmit at 9600 bits per second (bps), ISDN lines can transmit at speeds of 64 or 128 kilobits per second. An ISDN line must be installed by the phone company at both the server and at the remote site. ISDN also requires that an ISDN card be installed in place of a modem in both the server and remote client. Costs for ISDN equipment and lines can be higher than standard modems and phone lines. However, the speed of communication reduces the duration of connections, possibly saving toll charges. For more information about how to install and configure ISDN cards, see RAS online Help. X.25 is a standard packet-switching communication protocol (or transport) designed for WAN connectivity. Windows NT RAS suppports connections based on the X.25 standard using Packet Assemblers/Disassemblers (PADs) and X.25 smart cards. You can also use a modem and special dial-up X.25 carriers (such as Sprintnet and Infonet®) in place of a PAD or smart card on RAS clients. For more information about RAS and X.25, see RAS online Help or Chapter 9, "X.25 PAD Support." The following illustration shows how a client connects to the Remote Access server through a dial-up PAD and the X.25 network. How a Remote Access Client Connects to the Server Through a Dial-Up PAD Suppose two or more networks are in the same location but are not physically connected. To use resources on both networks from one computer, use an RS-232C null modem. The client connects an RS-232C cable from a COM port to a COM port on the RAS server. RAS is used to create network access. An RS-232C null modem can also be used as a substitute for a network card in a computer located physically near (less than 50 feet of cable) a RAS server. A RAS server is usually connected to a PSTN, ISDN, or X.25 network, allowing remote users to access a server through these networks. RAS now allows remote users access through the Internet by using the new Point-to-Point Tunneling Protocol (PPTP). PPTP is a new networking technology that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet by dialing into an Internet Service Provider (ISP) or by connecting directly to the Internet. PPTP offers the following advantages: Lower Transmission Costs Lower Hardware Costs Lower Administrative Overhead Enhanced Security For more information, see Chapter 11, "Point-to-Point Tunneling Protocol." Windows NT is a secure operating environment, designed to meet the requirements of C-2 level (U.S. Department of Defense) security: Access to system resources can be discretely controlled. All system access can be recorded and audited. Access to the system requires a password and leaves an audit trail. Windows NT Server uses a trusted domain, single-network logon model:. Users and groups of one domain can be granted access to resources in a trusting domain. After being authenticated, users carry access credentials that are presented whenever access to a resource is requested on the network. A Windows NT Server computer—provided it is secured physically—can be locked-down using software. This single-network logon model extends to RAS users. RAS access is granted from the pool of all Windows NT user accounts. An administrator grants the right to dial into the network, and users then use their domain login to connect via RAS. After being authenticated by RAS, users can use resources throughout the domain and in any trusted domains. Finally, Windows NT provides the Event Viewer for auditing. All system, application, and security events are recorded to a central secure database which, with proper privileges, can be viewed from anywhere on the network. Attempts to violate system security, to start or stop services without authorization, or to gain access to protected resources, are recorded in the Event Log and can be viewed by the administrator. For more information on RAS authentication and security features such as Data Encryption and Callback, see Chapter 7, " RAS Security."